What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization; afterwards a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Thursday, February 17, 2011

Why PT without FW/IPS Evasion is not reliable Part 2

So, part 2 is here; I have received several mails asking me to blog on this.

This attack is simulated with a Cross Site Scripting vulnerability, for example on www.bank.co.ke. So what happens is the attacker discovers a flaw on the website where user inputs are not sanitized. www.bank.co.ke sits in the bank's server farm, inside the DMZ, well protected by the corporate firewall. In the server farm are DB servers, mail servers, domain servers, the web server etc.

So what happens is the hacker injects code into the website and convinces a tech support user to check the link out. The link has the full website address, but the other injection parts are encoded for disguise, and the IDPS (Intrusion Detection and Prevention System) sensors do not pick that up when it goes to his email.

The attacker has a remote zombie which has an exe embedded in a JS script, so he will send an encoded form of a URL that looks like the one below (this needs to be encoded to bypass intrusion sensors and filters):

The characters // --> are meant to comment out anything that gets generated up to that point. Then we have the next step of the payload, where a script hosted on the attacking server has the exploit ready for the client. It is downloaded and executed on the user's PC. From there we have an SSL tunnel from inside the corporate LAN to the zombie server via a command prompt. So the attacker can control the PC from his laptop via the zombie, through a tunnel which is not detected at the FW and IDPS centre.
There are so many other ways to inject malicious code into websites, which can fully trick users into engaging with the exploits against their will. These attacks will need to be obfuscated to avoid AVs and intrusion sensors.

Questions and comments can be posted below. If you wish to know how much further the exploitation can go, please comment or mail me; I will be happy to write a full post as part 3.

Wednesday, February 16, 2011

Yes, an old friend scanned the site...

I was with one of my friends the other day; he had just set up a financial website and was telling me that they will be doing serious business with several financial institutions all over Africa.

So the discussion about security came up, and he boldly said, "An old friend from India did a Penetration Test on it by scanning it, now it's safe and secure." So he actually did not even do this for his own comfort but wanted to pass compliance tests from some banks and the CBK. I don't like pointing fingers, but I think the CBK should also regulate how such assessments and audits are done. CBK should update their mandate on such matters.

So the box, the LAMP stack that several organizations use, has several vulnerabilities, or rather it is a non-hardened LAMP. Hackers will always look for such default installs and, if found, will probe for more information and use such intel to exploit further, especially if they see a gain, financially or infrastructure-wise. So let's look at a few tips on how to harden a LAMP. These tips are just 10% of what you should do to protect a LAMP. Otherwise, if they have not been done, you have 0% security on your web server.


No one needs to know which version of Apache or PHP you are running when browsing your site, except hackers. So inside httpd.conf, change ServerSignature from On to Off. Below it there is ServerTokens; change it from OS to Prod. Also inside the php.ini file there is expose_php, which is on; turn it off, and also change safe_mode from Off to On. There are also some dangerous functions which need to be turned off in disable_functions=.

After that restart Apache.


You will need to install a WAF to protect against online login brute force, web directory brute force, and other forms of attack. PHPIDS is another solution which should be installed. PHPIDS is capable of detecting attack pattern strings, e.g. file inclusion (remote or local), SQLi, XSS etc.


Sometimes developers like to have files like phpinfo. These files expose paths to web folders, server kernels and internal IPs. I was doing a pentest last year where I found one. Prior to that, I had no idea that the web servers had connectivity to internal business networks. The internal security personnel had no idea either, so during the test I found one on a server and it had internal connectivity. That's when I realised the admins had deployed internal IPs to the network for easier access to the web servers. So these phpinfo files, remove them. Other folders like /phpmyadmin, /mysql, /admin etc. need to be blocked from the public.


Directory listing is an immature mistake developers and webmasters make. Most Apache servers will have it turned on. Inside httpd.conf, edit Options Indexes FollowSymLinks to Options -Indexes FollowSymLinks.
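To check that the httpd.conf and php.ini settings from the tips above have actually been applied, here is an added audit script (my example, not part of the original post); it assumes plain "Directive value" / "key = value" syntax with no Include files, and the list of functions it expects in disable_functions is my own assumption, since the post does not enumerate them.

```python
import re

# Settings the post names, with the hardened value (lowercased for comparison).
APACHE_CHECKS = {"ServerSignature": "off", "ServerTokens": "prod"}
PHP_CHECKS = {"expose_php": "off", "safe_mode": "on"}  # safe_mode was removed in PHP 5.4
# Assumed list of functions worth disabling; the post does not spell them out.
RISKY_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}

def _apache_value(conf, directive):
    # First uncommented "Directive value" line, value lowercased
    m = re.search(rf"^\s*{directive}\s+(\S+)", conf, re.M | re.I)
    return m.group(1).lower() if m else None

def _php_value(ini, key):
    # "key = value" line, inline ';' comment and quotes stripped, lowercased
    m = re.search(rf"^\s*{key}\s*=\s*([^;\r\n]*)", ini, re.M | re.I)
    return m.group(1).strip().strip('"').lower() if m else None

def audit(httpd_conf, php_ini):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for d, want in APACHE_CHECKS.items():
        got = _apache_value(httpd_conf, d)
        if got != want:
            findings.append(f"httpd.conf: {d} is {got or 'unset'}, want {want}")
    # A bare "Indexes" or "+Indexes" on any Options line enables directory listing
    if re.search(r"^\s*Options\b[^\n]*\s\+?Indexes\b", httpd_conf, re.M | re.I):
        findings.append("httpd.conf: Options enables Indexes, change to -Indexes")
    for k, want in PHP_CHECKS.items():
        got = _php_value(php_ini, k)
        if got != want:
            findings.append(f"php.ini: {k} is {got or 'unset'}, want {want}")
    raw = _php_value(php_ini, "disable_functions") or ""
    disabled = {f.strip() for f in raw.split(",") if f.strip()}
    missing = sorted(RISKY_FUNCTIONS - disabled)
    if missing:
        findings.append("php.ini: disable_functions lacks " + ", ".join(missing))
    return findings

# Constructed sample configs: a default-looking install and a hardened one.
WEAK_HTTPD = "ServerSignature On\nServerTokens OS\n<Directory />\n    Options Indexes FollowSymLinks\n</Directory>\n"
WEAK_INI = "expose_php = On\ndisable_functions =\n"
HARD_HTTPD = "ServerSignature Off\nServerTokens Prod\n<Directory />\n    Options -Indexes FollowSymLinks\n</Directory>\n"
HARD_INI = "expose_php = Off\nsafe_mode = On\ndisable_functions = exec,shell_exec,system,passthru,popen,proc_open\n"

if __name__ == "__main__":
    print("\n".join(audit(WEAK_HTTPD, WEAK_INI)) or "no findings")
```

On a real server, read the two files and pass their contents to audit(); the default sample above yields six findings and the hardened one none.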

The other security fixes are much more exercised by security personnel in your organization. These will include code analysis, checklists, OWASP top risks tests, penetration testing, vulnerability assessments etc.

Any questions, comments, please post below.



Thursday, February 10, 2011

Why PT without FW/IPS Evasion is not reliable Part 1

Many attackers out there, cyber armies, black hats, investigators etc., who want data from your network/infrastructure will stop at nothing to try to evade all the access controls that corporates have. Due to this, it's the responsibility of the security companies hired to demonstrate this vulnerability and to recommend many ways of blocking the security flaws that can be used for FW/IDPS evasion.

The picture shows one example. Here, an attacker with a laptop sitting somewhere sends malware to a user inside the network. So all he will need to do is wait for the user to open the document that was attached to the mail, and he will run code on the victim and a tunneled control channel is established through the firewalls to his box. This is well achieved via SSL tunneling.

I have taken some time to test this attack on several banks in Kenya, and it was well achieved, unlike tryouts in first world countries, which need more recon of IDPS sensors and firewalls. I will be continuing this with part two in the coming week.

For questions, check below.